Cyber Threat Brief — May 5 2026
1. Copy Fail Linux Local Privilege Escalation — CVE-2026-31431
TL;DR: A 9-year-old logic bug in the Linux kernel’s authencesn crypto template gives any local user deterministic root via a 732-byte Python PoC. CISA KEV-listed; multiple public exploits now circulating on GitHub.
What’s New:
- CVSS 7.8 — local, low complexity, no privileges required beyond code execution
- Abuses AF_ALG socket + splice() to perform a controlled 4-byte write into the page cache of any readable file (e.g., /etc/passwd UID field → 0000)
- Multiple GitHub PoCs now public (rootsecdev, Naimadx123, dontstopnowbaby repos)
- CISA KEV added May 1; federal remediation deadline May 15
- Affects all major distros shipped since 2017 (kernel commit from the authencesn in-place optimization)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| AF_ALG socket creation (socket(AF_ALG, SOCK_SEQPACKET, 0)) | Exploit primitive | T1068 | Sysdig / auditd (syscall) | Alert on AF_ALG socket creation by non-root users |
| splice() syscall targeting readable setuid binaries | Exploit primitive | T1068 | auditd / eBPF | Monitor splice calls referencing /etc/passwd or setuid bins |
| Delayed algif_aead module load (300+ sec after boot) | Behavioral indicator | T1068 | kernel module logs / auditd | Alert on late AF_ALG module loading post-boot |
| su entries in auth.log with missing invoking username | Post-exploitation | T1078.003 | /var/log/auth.log | Hunt for su records without source user |
| /etc/passwd modification (UID field changed to 0000) | Impact | T1098 | FIM (AIDE/OSSEC/Wazuh) | Alert on any /etc/passwd UID modification |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No rule for AF_ALG + splice page-cache poisoning pattern |
| Elastic | “Privilege Escalation via UID/GID Modification” (partial) | Misses the exploitation primitive; only catches post-exploit passwd change |
| Sigma | None | No AF_ALG socket + splice correlation rule exists |
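The detection table above notes that no stock rule correlates the AF_ALG exploit primitive with the /etc/passwd impact. As an added example (not from the brief or any vendor it cites), the Python below does both halves on constructed data: it parses auditd SYSCALL records and flags AF_ALG socket() calls by non-root users, and it scans a passwd file for the non-canonical "0000" UID artifact. It assumes x86_64 (socket is syscall 41) and auditd's convention of printing syscall arguments in hex, so a0=26 is family 38 (AF_ALG) and a1=5 is SOCK_SEQPACKET; the log lines and passwd excerpt are constructed, not real captures.

```python
import re

# Constructed auditd SYSCALL records (not real captures). On x86_64 socket() is
# syscall 41; auditd prints a0..a3 in hex, so a0=26 is AF_ALG (38) and a1=5 is
# SOCK_SEQPACKET. The third record is root-owned crypto tooling and must not alert.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1778000001.101:201): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 ppid=2201 pid=2345 auid=1000 uid=1000 gid=1000 comm="python3" exe="/usr/bin/python3.11" key="socket"
type=SYSCALL msg=audit(1778000001.102:202): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=1 a2=6 a3=0 ppid=2201 pid=2346 auid=1000 uid=1000 gid=1000 comm="curl" exe="/usr/bin/curl" key="socket"
type=SYSCALL msg=audit(1778000001.103:203): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 comm="cryptsetup" exe="/usr/sbin/cryptsetup" key="socket"
"""

SOCKET_SYSCALL_X86_64 = 41
AF_ALG = 38  # from linux/socket.h

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one auditd record into a dict of key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def af_alg_sockets_by_non_root(log_text):
    """Return (pid, uid, comm) for every AF_ALG socket() call by a non-root user.

    This is the exploit primitive from the brief; non-root AF_ALG use is rare on
    most servers, so alerting on it is a reasonable first rule.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
            continue
        if int(rec.get("syscall", -1)) != SOCKET_SYSCALL_X86_64:
            continue
        family = int(rec.get("a0", "0"), 16)  # auditd prints args in hex
        if family == AF_ALG and int(rec.get("uid", "0")) != 0:
            hits.append((int(rec["pid"]), int(rec["uid"]), rec.get("comm", "")))
    return hits


# Constructed /etc/passwd excerpt: the 4-byte page-cache write described in the
# brief turned "1000" into "0000", which the resolver parses as UID 0.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:0000:1000:alice:/home/alice:/bin/bash
"""


def suspicious_uid_zero_entries(passwd_text):
    """Return usernames whose UID resolves to 0 but are not the canonical root
    entry, including non-canonical spellings such as '0000'."""
    flagged = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7 or not parts[2].isdigit():
            continue
        name, uid_str = parts[0], parts[2]
        if int(uid_str) == 0 and (name != "root" or uid_str != "0"):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print(af_alg_sockets_by_non_root(SAMPLE_AUDIT))
    print(suspicious_uid_zero_entries(SAMPLE_PASSWD))
```

The passwd check deliberately compares the UID string, not only its integer value: an FIM tool that diffs the file will see "0000" change, but a parser that normalises to int(uid) would miss why the entry is now root-equivalent.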
Sources: Microsoft Security Blog, Wiz Research, Sysdig, GitHub PoC
2. Apache MINA Deserialization Bypass RCE — CVE-2026-42779
TL;DR: Incomplete fix in Apache MINA’s classname allowlist lets attackers bypass deserialization filters for pre-auth RCE (CVSS 9.8). Patch branches failed to merge — versions 2.1.0–2.1.11 and 2.2.0–2.2.6 remain vulnerable.
What’s New:
- Logic error in AbstractIoBuffer.resolveClass(): the static/primitive-type branch skips the allowlist and calls Class.forName() unfiltered
- Bypass of prior fix CVE-2026-41635 due to failed branch merge (repo management error)
- CVSS 9.8, pre-auth, network-exploitable against any MINA-based service accepting serialized objects
- Fixed in MINA 2.1.12 and 2.2.7
- No known ITW exploitation yet, but trivial to weaponize given prior deserialization tooling (ysoserial)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Java deserialization payloads on MINA service ports | Exploit payload | T1190 | Network IDS / PCAP | Deploy Snort/Suricata sigs for Java serialization magic bytes (aced0005) on MINA ports |
| ObjectInputStream class loading of unexpected classes | Exploitation | T1059.004 | JVM logs / EDR | Monitor for unusual class instantiation in MINA processes |
| Outbound connections from MINA service post-exploitation | C2 | T1071.001 | Firewall / netflow | Baseline MINA service network behavior; alert on new outbound |
| Process spawns from MINA/Java process (cmd.exe, /bin/sh) | Post-exploitation | T1059 | EDR / Sysmon | Alert on shell spawns from Java processes running MINA |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | “Java Deserialization Attack” (generic) | Not MINA-specific; no allowlist bypass detection |
| Elastic | “Suspicious Java Child Process” | Catches post-exploitation only, not the deser payload |
| Sigma | “Java Payload Execution” (proc_creation) | No network-layer rule for serialized object on MINA ports |
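The gap noted above is a network-layer check for serialized objects on MINA ports. Matching the aced0005 magic alone fires on every legitimate serialized message, so the added example below (not from the brief, Apache MINA, or any cited vendor) goes one step further: it parses the Java serialization stream header and the first class descriptor, then compares the class name against the allowlist the service is expected to accept. The byte layout (magic 0xACED, version 5, TC_OBJECT 0x73, TC_CLASSDESC 0x72, class name as a 2-byte-length UTF string) is the standard Java Object Serialization Stream Protocol; the sample payloads and the allowlist are constructed, and build_sample() emits only the leading bytes of a stream rather than a complete descriptor.

```python
import struct

STREAM_MAGIC = b"\xac\xed"   # the "aced0005" header from the brief
STREAM_VERSION = 5
TC_OBJECT, TC_CLASSDESC, TC_ARRAY, TC_STRING = 0x73, 0x72, 0x75, 0x74


def first_class_name(payload):
    """Return the class name in the first class descriptor of a Java serialization
    stream, or None if the bytes are not such a stream or open with something
    other than TC_OBJECT/TC_ARRAY + TC_CLASSDESC. Only the leading bytes are parsed;
    that is enough to decide whether the message deserves an alert."""
    if len(payload) < 6 or payload[:2] != STREAM_MAGIC:
        return None
    if struct.unpack(">H", payload[2:4])[0] != STREAM_VERSION:
        return None
    tc = payload[4]
    if tc not in (TC_OBJECT, TC_ARRAY) or len(payload) < 8 or payload[5] != TC_CLASSDESC:
        return None
    name_len = struct.unpack(">H", payload[6:8])[0]
    name = payload[8:8 + name_len]
    if len(name) != name_len:
        return None  # truncated descriptor
    return name.decode("utf-8", errors="replace")


def build_sample(class_name):
    """Constructed test data: header, TC_OBJECT, TC_CLASSDESC and the class name.
    A real descriptor continues with serialVersionUID, flags and field info."""
    name = class_name.encode()
    return (STREAM_MAGIC + struct.pack(">H", STREAM_VERSION)
            + bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(name)) + name)


def classify(payload, allowlist):
    """Classify one message seen on a MINA port.

    'not-serialized': no Java stream header, ignore.
    'allowed':        first class is one the service legitimately exchanges.
    'alert':          serialized object of a class outside the allowlist.
    'inspect':        stream header present but no parsable class descriptor
                      (e.g. a bare TC_STRING); low priority, keep for review.
    """
    name = first_class_name(payload)
    if name is None:
        return "inspect" if payload[:2] == STREAM_MAGIC else "not-serialized"
    return "allowed" if name in allowlist else "alert"


if __name__ == "__main__":
    # Constructed allowlist for a hypothetical MINA-based service.
    allow = {"java.lang.Integer", "com.example.mina.Ping"}
    for blob in (build_sample("java.lang.Integer"), build_sample("com.example.NotAllowed"),
                 b"GET / HTTP/1.1\r\n"):
        print(classify(blob, allow), first_class_name(blob))
```

The allowlist here is the same list the patched resolveClass() is supposed to enforce; checking it on the wire means a bypass inside the JVM (as in this CVE) is still visible to the sensor, which the process-creation rules in the table only catch after a payload has already executed.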
Sources: Lyrie Research, TheHackerWire, SecurityOnline
3. Sentry SAML SSO Account Takeover — CVE-2026-42354
TL;DR: Missing cross-org IdP validation in Sentry lets attackers create a malicious SAML IdP, send a crafted assertion with any victim’s email, and fully impersonate them — no credentials or user interaction needed.
What’s New:
- Attacker spins up org on vulnerable Sentry instance, configures malicious IdP
- Crafted SAML assertion with victim’s email → Sentry links victim account to attacker’s IdP session
- Full account takeover: access to error tracking data, source maps, PII in stack traces
- No password, no 2FA bypass needed — the linking occurs before auth challenge
- Fixed in Sentry 26.4.1 (self-hosted); SaaS instances patched
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| New SAML IdP configurations from recently-created orgs | Precursor activity | T1556.007 | Sentry audit logs | Alert on IdP config changes from orgs < 24h old |
| SAML assertions linking existing user emails to new IdPs | Exploitation | T1556.007 | Sentry auth logs / SAML debug logs | Hunt for identity linkage events across org boundaries |
| Multiple accounts linked to single IdP in short timeframe | Mass exploitation | T1078 | Sentry audit logs | Threshold alert on rapid account-IdP linkages |
| Login from new IdP session without prior password auth | Account takeover | T1078.004 | Sentry access logs | Correlate IdP-linked logins with missing password events |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No Sentry-specific content |
| Elastic | None | No Sentry SAML monitoring rules |
| Sigma | “SAML Response Manipulation” (web_proxy) | Generic; doesn’t cover Sentry’s cross-org linking pattern |
Sources: GitHub Advisory GHSA-ggmg-cqg6-j45g, DailyCVE
4. Windows NTLM Coercion via LNK — CVE-2026-32202 (APT28)
TL;DR: Incomplete patch of APT28’s zero-day (CVE-2026-21510) still allows NTLM hash coercion when Explorer renders a folder containing a malicious .lnk — zero-click, actively exploited by Fancy Bear. CISA KEV deadline May 12.
What’s New:
- Original SmartScreen bypass patched, but SMB connection initiation on folder render was NOT addressed
- Explorer auto-initiates SMB auth to attacker server when rendering folder with crafted LNK
- Zero-click: victim only needs to open/browse a folder containing the malicious LNK
- APT28/Fancy Bear confirmed exploitation; Kimsuky also exploiting CVE-2024-1708 (ScreenConnect) in parallel campaign
- CISA KEV added late April; FCEB remediation deadline May 12, 2026
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Outbound SMB (445/tcp) to external IPs triggered by Explorer | NTLM coercion | T1187 | Firewall / Sysmon EventID 3 | Block outbound SMB to non-internal IPs; alert on Explorer-initiated external SMB |
| .lnk files with UNC paths pointing to external hosts | Delivery | T1204.002 | EDR / Sysmon EventID 11 | Scan for LNK files referencing external UNC paths |
| NTLM auth attempts to unknown external servers | Credential theft | T1187 | Windows Security 4648 / netflow | Alert on NTLM negotiation to non-domain controllers |
| explorer.exe connecting to external IPs on 445 | Exploitation | T1187 | Sysmon EventID 3 | Dedicated rule for explorer.exe outbound SMB |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | “Detect Outbound SMB Traffic” / “NTLM Authentication to External Hosts” | Exists but needs tuning for Explorer-as-source specifically |
| Elastic | “NTLM Authentication to External IP” | Partial — doesn’t isolate Explorer-triggered coercion |
| Sigma | “Outbound SMB Connection from Explorer” (net_connection) | Community rule exists; verify deployment |
Sources: Akamai Research, SecurityOnline, The Hacker News